Security: The Year in Review

Perhaps the best thing that can be said about the events of 2009 is that things largely went according to plan. There were the requisite distributed denial of service (DDoS) attacks, data breaches, and vulnerability exploits -- along with a slow-but-steady uptick in spam levels. Security professionals battled a host of new viruses and other malware and an overall surge in botnet activity -- but all of these things were to some degree anticipated.

Compared to other market segments, the security space was a relative safe harbor in a year of economic turbulence: consider the enterprise systems segment, where sales of bellwether technologies (such as servers) reached all-time lows. By contrast, sales of security-related technologies (along with demand for security know-how or services) either held steady or posted gains in 2009, according to market watchers such as Gartner Inc., IDC, and Infonetics Research.

Exploit Recycling

One of the most intriguing developments of 2009 involved a recycling campaign of sorts: crackers went with what has worked in the past, recycling code and techniques associated with older attacks (or exploiting existing, still-unpatched vulnerabilities) to pull off new -- and in at least one case, blockbuster -- attacks.

Such was the case with the DDoS attacks that crippled government sites in both the U.S. and South Korea in July: the attacks used code recycled from the notorious MyDoom worm. The not-so-comforting takeaway, security watchers stress, is that many shops aren't adequately protected against the exploits of old. This suggests an even more disquieting upshot: to the extent that new attacks are able to exploit known or existing vulnerabilities (using known or existing methods), security pros aren't effectively doing their jobs. (In the case of the Koobface worm, according to researchers with Symantec Corp., code or techniques associated with the infamous Code Red worm were recycled. Code Red, for the record, dates from the summer of 2001.)

Symantec, for its part, offered a far-from-sanguine mid-year assessment. “In the first half of 2009, some of the more recent and highly publicized threats incorporated attack methods used in previous years,” researchers wrote in Symantec’s Security Trends -- 2009 Mid-Year Update.

This wasn't entirely unexpected. Consider the case of the Conficker worm. It first appeared in November of 2008, boasting an almost sublime melding of the old (namely, techniques associated with the Code Red and Nimda worms) and the new. The same can be said for Koobface, which -- even though it wrought its greatest mischief in March of 2009 -- actually first appeared in December of 2008.

In other words, IT and security pros were forewarned. “The large-scale distribution of a small number of threats that were characteristic of the Code Red and Nimda attacks were components of the attack techniques employed by the Koobface worm, which continues to propagate via social networks, and the Conficker worm, one of the most complex and widely spread threats to hit the Internet in several years,” noted Symantec researchers.

The Data Breach Disconnect

One of the biggest data breaches to date occurred -- or, rather, was reported -- in 2009, when payment processing giant Heartland Payment Systems announced that it had been "the victim of a security breach within its processing system" the year before, in 2008. It still isn't clear how long Heartland had known about the breach (or breaches). Crackers first gained access to Heartland's corporate network in December of 2007, founder and CEO Robert Carr told Wired.com. By May of 2008, Carr said, they had secured access to the company's payment processing network.

What has become clear, however, is that Heartland's handling of the incident left much to be desired: to begin with, the company made its disclosure on January 20, 2009 -- the same day Barack Obama was inaugurated as the 44th president of the United States, a day on which the announcement was all but guaranteed to be buried.

Heartland took heat on several fronts: it failed to immediately apologize to its customers and failed to forthrightly disclose the duration or scope of the breach. The company emerged as a notable (if not textbook) example of how not to handle a sensitive data breach. It’s an example companies still don’t seem to have taken to heart.

In a certain sense, security is always going to be a game of catch-up: the bad guys do something characteristically bad -- chiefly by exploiting known or unknown vulnerabilities to gain access to (or otherwise affect the orderly operation of) a system -- and security pros try to contain the damage.

The art of information security lies in the practice of containment: the most secure organizations are those which -- by a combination of technology, policy, and people know-how -- are able to best contain potential exploits. In any such scheme, communication or disclosure is of crucial importance.

When a data breach is at issue, however, disclosure -- far from being an afterthought -- becomes the principal thing. Unfortunately, the first instinct of any corporate entity is to do what Heartland tried to do: focus on limiting disclosure, principally to forestall negative PR fallout. Sometimes there’s a good reason for doing as much; more often than not, there isn’t. In the latter case, companies or organizations usually have bigger problems.

In 2009, a pair of prominent data breaches showcased both scenarios.

In early October, for example, Blue Cross and Blue Shield disclosed that a laptop computer had been stolen from one of its employees. The system in question contained unencrypted information -- including Social Security numbers -- that pertained to every physician affiliated with its health-care system, some 850,000 doctors. The theft had actually taken place in August, officials said; Blue Cross didn’t immediately disclose the incident because it wanted to first determine exactly what data was involved.

Fair enough, but consider the case of a CISSP with a large business consulting firm. On December 1, this person's employer learned that a laptop belonging to one of its clients -- a prominent Philadelphia children's hospital -- had been compromised. The rub, this technologist laments, is that the system had actually been compromised a month and a half earlier, on October 20. By "compromised," of course, this CISSP means that the laptop had been stolen -- in this case, from a car. Worse, this person reports first learning of the incident the old-fashioned way: by reading about it in the newspaper.

Final Thoughts

This year we saw many ups and downs, particularly on the spam front. In the first half of the year, spam levels were down from the year before, thanks in part to the closing of a notorious spam service provider (McColo) in November of 2008.

The good guys got another win in August of this year, when spam messaging provider Real Host was forced to shut down. According to researchers, however, spam levels on the whole increased throughout the year: Symantec’s last State of Spam report, for example, flagged sequential increases from August through October. By October, in fact, spam levels had more or less equaled their year-ago levels, according to researchers.

More troubling still, experts warned, was the growing size of spam. Spam sent in 2009 was (on average) larger than spam sent last year.

Botnets helped pick up the slack after the demises of both McColo and Real Host, generating (on average) almost 90 billion unsolicited messages each day. By next year, predicts security researcher MessageLabs, botnets “will become autonomous intelligent, with each node containing an in-built, self-sufficient coding in order to coordinate and extend its own survival.” Yikes.

Elsewhere, demand for security products, services, and know-how will almost certainly increase, according to market watchers. That's an easy prediction. So, too, is the likelihood -- the inevitability -- of data breaches; 2010 will probably produce several high-profile -- and probably at least one inadequately disclosed -- data breaches, experts warn. Another still-gestating threat is a possible uptick in cellular hacking: a prominent German cracking group plans to release a toolkit to crack at least one of the Global System for Mobile communications (GSM) encryption algorithms.

The good news here is again something of a double-edged sword: it’s been anticipated -- and predictability is a security professional’s best friend.